                        WEDNESDAY, JUNE 18, 2008

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:04 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Akaka, Carper, and Collins.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. Good morning and welcome to our hearing 
today on Federal efforts to protect personal privacy. I want to 
welcome our distinguished panel and also particularly commend 
the Government Accountability Office (GAO), Ms. Koontz, for 
your excellent work on the report that is being released today 
on the Federal Government's privacy efforts.\1\ I also want to 
particularly thank our colleague and dear friend, Senator 
Akaka, who has taken a particular interest in government 
privacy issues and has encouraged Senator Collins and me to 
convene today's hearing.
---------------------------------------------------------------------------
    \1\ The GAO Report on Privacy appears in the Appendix on page 98.
---------------------------------------------------------------------------
    We live in an age that really is defined by information. 
The explosion of new technologies to gather, share, and store 
huge quantities of information has made possible significant 
advances in every aspect of our lives, including more efficient 
and effective governmental programs. But these same 
technologies have also dramatically altered the privacy 
landscape. It is easier than ever for government and private 
entities to acquire large amounts of personal information about 
people--information that can cause harm to those people if 
improperly disclosed or used.
    Loss of privacy, for instance, can lead to crimes such as 
identity theft or stalking. The dissemination or misuse of 
certain private data can also result in the loss of employment, 
discrimination, harassment, or surveillance. So it is 
essential, obviously, for government to collect and use 
personal information--for example, to provide security, conduct 
law enforcement, or administer and extend governmental 
benefits. But we also have to do everything we possibly can to 
ensure that in collecting and using personal information, we 
tread very carefully because when dealing with the personal 
information of individual Americans, we have got to properly 
balance our policy goals against potential incursions on their 
privacy.
    Congress constructed a foundation for respecting individual 
privacy within the Federal Government in the landmark Privacy 
Act of 1974 which seeks to prohibit unauthorized disclosure of 
personal information, ensure the accuracy and relevance of 
information collected by the government, and provide 
individuals with access to their information and a means of 
redressing errors. Six years ago, the law was strengthened by 
the Electronic Government Act of 2002, the so-called 
E-Government Act, which went through this Committee on its way to 
becoming law. That Act now requires that agencies analyze in 
advance the potential privacy impacts of new information 
systems and data collections, and minimize those potential 
risks. One of the questions I want to ask today is whether 
governmental agencies are fulfilling their obligations under 
the E-Government Act.
    Obviously, notwithstanding these two pieces of legislation, 
we know that there is much more to do, and the GAO report makes 
that clear.
    New technologies and data practices have overtaken some of 
the core definitions of the Privacy Act of 1974. That is, in 
the world of information collection and dissemination, 
millennia ago. For instance, in 1974, Congress simply could not 
foresee the government's use of what are now called ``private 
data brokers''--a totally unimagined line of enterprise in 
1974--with access to extensive personal information about 
individuals. So we now need to ensure that this practice does 
not become an end run around the protections of the Privacy 
Act. I know that is not the intention. These private data 
brokers are of significant assistance both to the government 
and, of course, the private sector. But, still, we have to be 
concerned about privacy.
    New policy demands, including some of the homeland security 
efforts that have originated in this Committee, call for 
sharing information among a wider array of agencies. Security 
concerns combined with new technologies, such as biometrics, 
are driving the collection of new types of personal 
information. The American people may have justifiable concerns 
about sharing their personal information when the government is 
collecting and storing their fingerprints, retinal scans, even 
their DNA, and we have to reassure them. We need to look 
closely to see how these new programs and practices intersect 
with existing privacy law and what adjustments may be 
necessary.
    When we created the Department of Homeland Security, 
however, we did mandate the establishment of a Chief Privacy 
Officer within the Department to address what we knew would be 
challenging questions as to how to integrate privacy 
considerations--including implementation of government privacy 
law--into the critical mission, the new mission post-September 
11, 2001, of homeland security. I am pleased that the second 
person to hold that position, Mr. Teufel, is one of our 
witnesses today. Incidentally, Senator Collins and I working 
closely together with other Members of the Committee, also 
created an expanded network of privacy officials as part of the 
two laws that originated in this Committee that enacted 
recommendations of the 9/11 Commission.
    But the question remains whether we have adequate 
leadership and resources devoted to privacy at the 
government-wide level. In 2003, in response to another request from this 
Committee, GAO concluded that the Office of Management and 
Budget (OMB) needed to assert more leadership on privacy 
questions to ensure that the agencies of our government were 
actually carrying out their responsibilities under the Privacy 
Act and other government privacy law. In fact, today there is 
no one in OMB, no office in the Federal Government, no 
high-level official, not even, as far as I can determine, a 
political appointee or member of the Senior Executive Service 
(SES), whose job it is to focus full time on government-wide 
privacy policy. This contrasts, interestingly enough, with many 
other countries, including those of our friends and allies in 
Europe, which have elevated privacy policy to the highest 
levels of their governments. This absence of leadership for 
privacy in the U.S. Government I know is a message we will hear 
loud and clear today.
    So I look forward to the testimony, and then to working 
together to ensure our privacy laws continue to provide 
appropriate and meaningful protections for our citizens. It 
sure does look to me, based on the GAO report, that it is time 
for us to do an updating and overall revision of the Privacy 
Act of 1974.
    [The prepared statement of Senator Lieberman follows:]
                PREPARED STATEMENT OF SENATOR LIEBERMAN
    Good morning and welcome to our hearing today on federal efforts to 
protect personal privacy. I want to welcome our distinguished panel and 
also commend the Government Accountability Office for its excellent 
work on this issue, as reflected in their report being released today 
on the federal government's privacy efforts. I also want to thank my 
colleague, Senator Akaka, who has taken a particular interest in 
government privacy issues and encouraged Senator Collins and me to 
convene today's hearing.
    We live in an ``information age,'' and the explosion of new 
technologies to gather, share, and store huge quantities of information 
has made possible huge advances in every aspect of our lives, including 
more efficient and effective government programs. But these same 
technologies have also dramatically altered the privacy landscape. It 
is easier than ever for government and private entities to acquire 
large amounts of personal information about people--information that 
can cause harm to those people if it is improperly used or disclosed.
    For the individual, loss of privacy can lead to crimes such as 
identity theft or stalking. The dissemination or misuse of certain 
private data can also result in other harms such as loss of employment, 
discrimination, or unwarranted harassment or surveillance. Certainly, 
it is essential for government to collect and use personal 
information--for example to provide security, conduct law enforcement, 
or administer benefits. But we must strive to ensure that we tread 
carefully when dealing with the personal information of individuals and 
that we properly balance our many policy goals against potential 
incursions on privacy.
    Congress constructed a foundation for respecting individual 
privacy within the federal government in the landmark Privacy Act of 
1974 which seeks to prohibit unauthorized disclosure of personal 
information, ensure the accuracy and relevance of information collected 
by the government, and provide individuals with access to their 
information and a means of redress for errors. Six years ago, that law 
was buttressed by the Electronic Government Act of 2002, which I 
introduced and had the privilege of guiding through this Committee on 
its way to becoming law. The E-Government Act requires that agencies 
analyze in advance the potential privacy impacts of new information 
systems and data collections, and minimize those potential risks. But 
we know there is more to do.
    New technologies and data practices have overtaken some of the core 
definitions of the Privacy Act. For instance, the Act simply could not 
foresee the government's use of private data brokers with access to 
extensive personal information about individuals, and we need to ensure 
this practice does not become a serious end-run around the protections 
of the Privacy Act.
    New policy demands--including some of the homeland security efforts 
that are of vital concern to this Committee--call for sharing 
information among a wider array of agencies. Security concerns combined 
with new technologies, such as biometrics, are also driving the 
collection of new types of personal information. Americans may have 
justifiable concerns about sharing their personal information when the 
government is collecting and storing their fingerprints, retinal scans, 
even their DNA. We need to look closely to see how these new programs 
and practices intersect with existing privacy law, and what adjustments 
may be necessary.
    This Committee has recognized the need for dedicating officials and 
resources to address privacy concerns within government, particularly 
as we tackle challenging new missions such as homeland security. When 
we created the Department of Homeland Security, we mandated the 
establishment of a Chief Privacy Officer within the department to 
address what we knew would be challenging questions as to how to 
integrate privacy considerations--including implementation of 
government privacy law--into the critical mission of homeland security. 
I am pleased that the second individual to hold that position, Mr. 
Teufel, is one of our witnesses today. We also created an expanded 
network of privacy officials as part of the two laws enacting 
recommendations of the 9/11 Commission.
    But the question remains whether we have adequate leadership and 
resources devoted to privacy at the government-wide level. In 2003, in 
response to a request from this committee, GAO concluded that OMB 
needed to assert more leadership on privacy to ensure that agencies 
fulfilled the mandates of the Privacy Act and other government privacy 
law. In fact, there is no one in OMB, no office in the federal 
government, no high-level official, not even a political appointee or 
member of the Senior Executive Service, whose job it is to focus 
full-time on government-wide privacy policy. This stands in stark contrast 
to many other countries, including those in the European Union, which 
have elevated privacy policy to the highest levels of government. This 
absence of leadership is a message we will hear loud and clear today.
    I look forward to the testimony and to working together to ensure 
that our privacy laws continue to provide appropriate and meaningful 
protections for our citizens. Senator Collins.

    Senator Lieberman. Senator Collins.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you. Thank you, Mr. Chairman, for 
holding this important hearing.
    We live in a world of unprecedented access to information. 
Data are being collected and stored in quantities of almost 
unimaginable size by a wide range of public and private 
entities. People freely share personal information about 
themselves on blogs or social networking Web sites. At the same 
time, most Americans believe that protecting some degree of 
personal privacy is a fight worth waging in the Digital Age.
    In 1974, Congress passed the Privacy Act to establish rules 
for government's use of computerized recordkeeping systems. To 
provide some context, in that same year, President Nixon 
resigned the presidency in the wake of the Watergate scandal. 
Gasoline cost 55 cents per gallon. And an exciting new gadget--
the pocket calculator--was just beginning to appear on store 
shelves.
    Thirty-four years later, as we hold this hearing, six 
presidents have occupied the Oval Office, the average cost of 
gasoline exceeds $4 per gallon, and the BlackBerrys that the 
Chairman and I depend so heavily on can do more than all but 
the most sophisticated computers of 1974.
    Yet with very few modifications, the 1974 Privacy Act has 
remained the primary law governing the Federal Government's 
collection, storage, and use of personal information about its 
citizens.
    Obviously, technology has changed dramatically during the 
past 34 years. The Federal Government can now gather, store, 
and share information much more efficiently than was even 
contemplated 34 years ago. Yet it is a testament to the 
original drafters of the Privacy Act that, in spite of these 
significant advances in technology, many of the law's 
provisions remain applicable to the technology in use today.
    Nevertheless, as the GAO and our other witnesses will 
testify, current law could be strengthened to improve 
assurances that personal information is legitimately collected 
and adequately secured.
    We should build on the success of the original law while 
ensuring that it is adequate to meet the new challenges of the 
Information Age. We can accomplish this by remaining true to 
the principles of openness, accuracy, transparency, and 
accountability that underpin the Fair Information Practices, 
which were developed by the U.S. Government and endure as 
guiding principles for protecting the privacy and security of 
personal data.
    This hearing will examine several important questions. 
First, are the rules governing the collection and use of 
personal information clear to both the officials who have 
access to it and the public that provides it? System of Records 
Notices, descriptions of routine uses of information, and other 
basic tools of the privacy regime are supposed to describe 
various information systems so that government officials and 
the public will know when and how personal information can be 
collected and shared. In many cases, however, the tools are 
worded so broadly that they really provide little clarity as to 
which rules govern any particular information system.
    Second, how can we ensure the security of personal 
information collected and maintained by the U.S. Government? 
Unfortunately, there are far too many recent examples that 
demonstrate the need for the Federal Government to better 
secure the sensitive information that it collects and 
maintains.
    For example, in 2006, the Veterans Affairs Department 
reported that the personal information of approximately 26.5 
million veterans was compromised when a laptop containing 
departmental records was stolen. A 2007 study by the Inspector 
General for Tax Administration found that at least 490 laptops 
containing sensitive taxpayer data had been lost or stolen 
between 2003 and 2007. But lost or stolen laptops are not the 
only security concern, as is evidenced by a 2006 data 
compromise of employee information at the Department of 
Agriculture that was caused by unauthorized access to the 
agency's systems.
    Beyond the physical and cyber security of sensitive data, 
we must also ask what is the best way to deal with innovative 
technologies--such as data mining--that seek to use information 
in entirely new ways. Technology develops so rapidly in this 
day and age that we will need to be more vigilant in ensuring 
that the wheels of progress are not inadvertently running over 
our basic privacy rights.
    And, finally, how can we continue to encourage the 
legitimate sharing of accurate information among government 
agencies for legitimate purposes while maintaining adequate 
controls to hold accountable those who might compromise an 
individual's privacy by misusing their personal information? 
The recent inappropriate searches by State Department 
contractors of the passport files of Senators McCain, Obama, 
and Clinton highlight the need for improvements in this area. 
Prohibitions against unauthorized use of the passport system 
did not prevent these improper inquiries, although audit 
mechanisms did facilitate prompt administrative action against 
the contractors responsible. As the government searches for 
ways to improve the sharing and the analysis of the information 
it collects, we must develop effective security measures and 
consider whether our laws properly sanction those who use 
sensitive information for inappropriate purposes.
    This hearing is yet another step in a robust dialogue now 
occurring about privacy in our country. A strong privacy 
regime, built on the principles of transparency, 
accountability, and security, should inspire the confidence of 
the American people that the Federal Government is not 
compromising personal privacy but, rather, preserving and 
protecting it. Doing so, however, in the Digital Age is a new 
challenge.
    Thank you, Mr. Chairman.
    [The prepared statement of Senator Collins follows:]
                 PREPARED STATEMENT OF SENATOR COLLINS
    We live in a world of unprecedented access to information. Data are 
being collected and stored in quantities of almost unimaginable size by 
a wide range of public and private entities. People freely share 
personal information about themselves on blogs or social networking Web 
sites. At the same time, most Americans believe that protecting some 
degree of personal privacy is a fight worth waging in the digital age.
    In 1974, Congress passed the Privacy Act to establish rules for 
government's use of computerized record-keeping systems. In that same 
year, President Nixon resigned the presidency in the wake of the 
Watergate scandal. Gasoline cost 55 cents per gallon. And an exciting 
new gadget--the pocket calculator--was just beginning to appear on 
store shelves.
    Thirty-four years later, six presidents have occupied the Oval 
Office, the average cost of gasoline exceeds $4 per gallon, and the 
BlackBerrys that the Chairman and I depend on can do more than all but 
the most sophisticated computers of 1974. Yet with very few 
modifications, the 1974 Privacy Act has remained the primary law 
governing the federal government's collection, storage, and use of 
personal information about its citizens.
    Obviously, technology has changed dramatically since the Privacy 
Act was written. The federal government can now gather, store, and 
share information more efficiently than was even imagined possible 34 
years ago. Yet it is a testament to the original drafters of the 
Privacy Act that in spite of these significant advances in technology, 
many of its provisions remain applicable to the technology in use 
today.
    Nonetheless, as the GAO and our other witnesses will testify, 
current law could be strengthened to improve assurances that personal 
information is legitimately collected and adequately secured. We should 
build on the success of the original laws while ensuring that they are 
adequate to meet the new challenges of the Digital Age. We can 
accomplish this by remaining true to the principles of openness, 
accuracy, transparency, and accountability that underpin the Fair 
Information Practices, which were developed by the U.S. government and 
endure as guiding principles for protecting the privacy and security of 
personal information.
    This hearing will examine several important questions. First, are 
the rules governing the collection and use of personal information 
clear to both the officials who have access to it and the public that 
provides it? System of Records Notices, descriptions of routine uses of 
information, and other basic tools of the privacy regime are supposed 
to describe various information systems so that government officials 
and the public will know when and how personal information can be 
collected and shared by the government. In many cases, however, these 
tools are worded so broadly that they provide little clarity as to what 
rules govern any particular information system.
    Second, how can we ensure the security of personal information 
collected and maintained by the U.S. government? Unfortunately, there 
are far too many recent examples that demonstrate the need for the 
federal government to better secure the sensitive information that it 
collects and maintains.
    In 2006, the Department of Veterans Affairs reported that the 
personal information of approximately 26.5 million veterans was 
compromised when a laptop containing Department records was stolen. A 
2007 study by the Inspector General for Tax Administration found that 
at least 490 laptops containing sensitive taxpayer data had been lost 
or stolen between 2003 and 2007. But lost or stolen laptops are not the 
only security concerns, as in a 2006 data compromise of employee 
information at the Department of Agriculture that was caused by 
unauthorized access to the agency's systems.
    Beyond the physical- and cyber-security of sensitive data, we must 
also ask what is the best way to deal with innovative technologies--
such as data mining--that seek to use information in entirely new ways. 
Technology develops so rapidly in this day and age that we will need to 
be vigilant to ensure that the wheels of progress are not inadvertently 
running over our basic privacy rights.
    And, finally, how can we continue to encourage the sharing of 
information among government agencies for legitimate purposes while 
maintaining adequate controls to hold accountable those who might 
compromise an individual's privacy by misusing their personal 
information? The recent inappropriate searches by State Department 
contractors of the passport files of Senators McCain, Obama, and 
Clinton highlight the need for improvements in this area. Prohibitions 
against unauthorized use of the passport system did not prevent these 
improper inquiries--though audit mechanisms did facilitate prompt 
administrative action against the contractors responsible. As the 
government searches for ways to improve the sharing and analysis of the 
information it collects, we must develop effective security measures 
and consider whether our laws properly sanction those who use sensitive 
information for inappropriate purposes.
    This hearing is yet another step in a robust dialog now occurring 
about privacy in this country. A strong privacy regime, built on 
principles of transparency and accountability, should inspire the 
confidence of the American people that the federal government is not 
compromising personal privacy but rather preserving and protecting it.

    Chairman Lieberman. Thank you, Senator Collins, for that 
excellent opening statement.
    Let me say again how much I appreciate the leadership role 
that Senator Akaka has played on these matters, and I would 
like now to ask him if he would like to make an opening 
statement.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman. I also 
want to welcome the panel and thank you and Ranking Member 
Collins for having this hearing today.
    Two years ago, following our joint hearing on the 
Department of Veterans Affairs (VA) data breach, I requested 
that this Committee take a closer look at the Privacy Act to 
see if it continued to protect Americans' personal information 
in this increasingly electronic age. Systems and procedures to 
prevent loss or unauthorized disclosure are not enough. Data 
security also relies on a robust privacy framework that 
minimizes the collection, use, and sharing of personal 
information and provides individuals the opportunity to access 
their data and correct any mistakes.
    For the past few years, I have been looking into Federal 
data collection and privacy issues and asked GAO for several 
reports. And today GAO is releasing two reports which I and 
others requested: One on the need for updating the Privacy Act 
and another on the need to consolidate privacy functions with a 
Senior Privacy Officer. And I agree with the GAO's findings, 
and I am glad to see that the Chairman also believes that the 
Privacy Act needs to be updated.
    Without strong privacy oversight, I fear that key privacy 
safeguards will fall through the cracks and Americans' personal 
information will remain at risk. Furthermore, I believe that 
the framework for protecting privacy in the Federal Government 
needs to be updated and loopholes closed. Failure to do so 
risks inaccurate information guiding our national security 
decisions as well as Americans' access to government services 
and benefits.
    I look forward to working with the Chairman and Ranking 
Member on legislation to address these issues, and, Mr. 
Chairman, I would like to ask that my full statement be made 
part of the record.
    Chairman Lieberman. Without objection, so ordered, and 
thank you very much, Senator Akaka, for those words.
    [The prepared statement of Senator Akaka follows:]
                  PREPARED STATEMENT OF SENATOR AKAKA
    Thank you Chairman Lieberman and Ranking Member Collins for holding 
today's hearing on the Privacy Act.
    Two years ago, following our joint hearing with the Veterans' 
Affairs Committee on the data breach at the Department of Veterans 
Affairs--which risked the personal information of 26.5 million veterans 
and active duty military--I requested that this Committee take a closer 
look at the Privacy Act to see if it continued to protect Americans' 
personal information in this increasingly electronic age. While our 
hearing at that time was focused on information security practices, I 
knew that we also needed to look at the safeguards for the collection, 
use, and sharing of personal information.
    Data security does not just rely on systems and procedures to 
prevent loss or unauthorized disclosure. It also relies on a robust 
privacy framework that minimizes the amount and use of personal 
information and provides individuals the opportunity to access their 
data and correct any mistakes.
    For the past few years I have been looking into federal data 
collection and privacy issues. At my request, the Government 
Accountability Office (GAO) conducted several investigations on federal 
data mining activities and found that federal agencies are not 
following all key privacy and information security practices. In its 
May 2004 report, GAO found 122 data mining activities in the federal 
government that use personal data. Thirty-six of these activities mined 
personal information from the private sector and 46 activities mined it 
from other agencies. This included student loan application data, bank 
account numbers, credit card information, and taxpayer identification 
numbers. The use of private sector data and the failure of agencies to 
follow key privacy requirements limit the ability of the public to 
control their personal information and risk the denial of government 
services or benefits.
    I believed then, as I do now, that a strong privacy official at 
each federal agency would help ensure compliance with federal privacy 
and information security laws. Unfortunately, according to a report 
being released today by GAO, despite the fact that federal agencies are 
required to designate a senior official for privacy, some of these 
officials still do not have full responsibility for all of the major 
privacy functions. Without such oversight--from ensuring compliance 
with privacy laws to providing redress procedures and privacy 
training--I fear that key privacy safeguards will fall through the 
cracks and Americans' public information will remain at risk.
    Today, however, our focus is on how the law is working. According 
to GAO and many privacy experts, the framework for protecting privacy 
in the federal government needs to be updated and loopholes closed. 
Whether it is the ineffective definition of System of Records or the 
ever expanding list of routine uses, we need to reexamine the Privacy 
Act and related privacy laws to ensure that they work in the 21st 
century. Failure to do so risks inaccurate information guiding our 
national security decisions as well as Americans' access to government 
services and benefits.
    I believe that legislative changes are needed to the federal 
privacy framework and look forward to working with the Chairman and 
Ranking Member to address these issues. Thank you again for holding 
this hearing.

    Chairman Lieberman. Let's go right to the panel. Again, I 
would like to welcome you all. Our first witness is Linda 
Koontz, who is the Director for Information Management Issues 
at the Government Accountability Office, with responsibility 
for issues concerning the collection, use, and dissemination of 
government information. Ms. Koontz has recently directed 
studies on privacy, records management, data mining, 
information access and dissemination, and E-Government.
    It is a pleasure to have you. Please proceed with your 
testimony.

    STATEMENT OF LINDA D. KOONTZ,\1\ DIRECTOR, INFORMATION 
    MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Koontz. Thank you, Mr. Chairman and Members of the 
Committee. I appreciate the opportunity to participate in 
today's hearing on government protection of personally 
identifiable information. As you know, collecting such 
information is vital for the Federal Government to provide 
services and benefits, as well as to respond to threats such as 
terrorism. At the same time, government use of personal 
information raises privacy concerns, such as whether the legal 
mechanisms governing such use remain sufficient for protecting 
personal privacy in the context of modern information 
technology.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Koontz appears in the Appendix on 
page 39.
---------------------------------------------------------------------------
    In my remarks, I will present key results from a report 
that we are releasing today on this issue. For our review, we 
assessed the sufficiency of current laws and guidance for 
protecting personally identifiable information and identified 
alternatives for addressing issues raised by our assessment.
    The primary relevant statute is the Privacy Act of 1974, 
which is the major mechanism for controlling Federal 
collection, use, and disclosure of personally identifiable 
information. The Act's provisions are largely based on a set of 
key privacy principles known as the Fair Information Practices, 
which call for such things as limiting the collection of 
personal information, ensuring that information is accurate 
when it is collected, and keeping the public informed of any 
such collections. These widely accepted principles, first 
proposed in 1973 by a U.S. Government Advisory Committee, are 
not legal requirements. However, they do provide a useful 
framework for balancing the need for privacy with other public 
policy interests, and they are used by numerous countries and 
organizations as the basis for privacy laws and policies.
    Besides the Privacy Act, another relevant statute is the E-
Government Act of 2002, which requires agencies to conduct 
Privacy Impact Assessments (PIAs)--that is, analyses of how 
personal information is protected when it is collected, stored, 
shared, and managed in a government information system.
    The two statutes and related guidance from the Office of 
Management and Budget set minimum requirements for agencies. 
But our review showed that they may not consistently protect 
personally identifiable information and may not fully adhere to 
key privacy principles. Based on our analysis, extensive 
discussions with agency officials and the perspectives of 
privacy experts obtained through a panel convened for us by the 
National Academy of Sciences, we identified issues in three 
major areas: First, applying privacy protections consistently 
to all Federal collection and use of personal information; 
second, ensuring the use of personally identifiable information 
is limited to a stated purpose; and third, establishing 
effective mechanisms for informing the public about privacy 
protections.
    In the first area, applying protections consistently, 
issues arise primarily from the scope of the Privacy Act, which 
is limited to what are called ``System of Records.'' These are 
defined as any grouping of records containing personal 
information that is retrieved by an individual identifier. 
Thus, the Act covers personal information in a given 
information system if an agency uses an individual identifier 
for retrieval, but not if some other method is used, such as 
searching for all individuals with a certain medical condition 
or who apply for a certain benefit.
    The resulting inconsistency has led experts to agree that 
the definition of a System of Records is too narrow. The 
Congress could address this issue by revising the definition to 
cover all personally identifiable information collected, used, 
and maintained systematically by the Federal Government.
    The second area, ensuring that use of personally 
identifiable information is limited to a stated purpose, is 
based on the principles that collecting personal information 
should be disclosed beforehand, and use of this information 
should be limited to a specified purpose. When the government 
must define a specific purpose and use for personal 
information, individuals gain assurance that their privacy will 
be protected and the information will not be used in ways that 
could unfairly affect them. However, current laws and guidance 
impose only modest requirements for defining the purposes and 
use of personal information. Agencies may define purposes very 
generally, which allows for unnecessarily broad ranges of uses 
without meaningful limitations. These issues could be addressed 
by requiring that specific limits be set on the use of 
information both within and among agencies.
    The third area, establishing effective mechanisms for 
informing the public, is related to both openness and 
accountability. These principles call for informing the public 
about privacy policies and practices and for holding agencies 
accountable for protecting privacy in their use of personal 
information. Currently, these principles are enforced through a 
System of Records Notices that agencies are required to publish 
in the Federal Register. However, it is questionable that such 
a publication effectively informs the public at large. First, 
the notices can be difficult to understand, as they are 
generally written in legalistic terms. Second, they do not 
always contain complete and useful information. And, finally, 
finding relevant notices and determining which ones are in 
force may be challenging. Options to address these issues 
include providing easy-to-understand, brief notices along with 
comprehensive versions, setting requirements to improve the 
content of privacy notices, and revising the Privacy Act to 
require that all notices be published on a central Web site.
    The challenge of how best to balance the Federal 
Government's need to collect and use information with 
individuals' privacy rights in the current environment merits a 
national debate on all relevant issues. In assessing such a 
balance, Congress should consider amending applicable laws 
according to the alternatives we have identified in our report.
    Mr. Chairman, that concludes my statement. I would be happy 
to answer questions at the appropriate time.
    Chairman Lieberman. Thanks, Ms. Koontz. That is a good 
beginning.
    Our next witness is Hugo Teufel III, Chief Privacy Officer 
of the Department of Homeland Security, a position he has 
occupied since July 2006. Mr. Teufel has primary responsibility 
in his position for privacy policy at the Department, including 
compliance with the 1974 Privacy Act and the privacy provisions 
of the E-Government Act. He previously served in the General 
Counsel's office at the Department and, before that, was the 
Associate Solicitor for General Law at the Department of the 
Interior.
    Thanks for being here, Mr. Teufel.

 STATEMENT OF HUGO TEUFEL III,\1\ CHIEF PRIVACY OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Teufel. Thank you very much, Chairman Lieberman, 
Ranking Member Collins, Senator Akaka, and Members of the 
Committee. It is an honor to testify before you here today, and 
I must confess that I am humbled in the presence of my co-
panelists here. Linda Koontz and I have worked together for the 
last 2 years, and we take very seriously the recommendations in 
her reports. And we usually get it right, but sometimes there 
is room for improvement, and she lets us know, and we carry out 
her recommendations, by and large. Ari Schwartz is someone who 
we regularly reach out to, along with other members of the 
privacy advocacy community, and I often seek Mr. Schwartz's 
advice and counsel on issues. And, of course, Peter Swire is 
someone from whom, since the very first week or two of my 
tenure in the Privacy Office, I have sought advice and counsel, 
and it is always great to see him and talk to him and be here.
    I read with interest the formal letter inviting me to come 
and testify, and I noted that this hearing was to consider the 
adequacy of laws and structures with respect to privacy. And, 
of course, this is a Congressional Committee, a Senate 
Committee, and so there will be a lot of talk on the law. I 
would like to spend just a little bit of time on structure 
before I conclude my opening remarks.
    In the 23 months that I have been in the office, I have 
thought a lot about the office and the position of Privacy 
Officer and what it is and what it should be and what it has 
been at other agencies. And so in my opinion, and what I have 
tried to do at the Department of Homeland Security, I have 
grouped our responsibilities into five functional categories: 
Policy, process, incidents and breaches, education, and 
outreach.
    The significance there is that if you look at other Privacy 
Officers--and I will put aside Census Bureau, Internal Revenue 
Service, and Postal Service--most other Privacy Officers and 
Privacy Offices within government often focus on the technical 
aspects and do not necessarily get involved with policy and 
with outreach. Policy is critical as part of Section 222 of the 
Homeland Security Act, and we are the primary privacy policy 
office--that is difficult to say fast early in the morning--at 
the Department of Homeland Security. But outreach is also 
essential because there are a lot of external stakeholders who 
are concerned about what it is that government is doing with 
personally identifiable information.
    So policy, advice--it can be advice and counsel orally 
given or it can be written policy, as we have done with respect 
to Social Security numbers and mixed-use systems, 
administratively extending Privacy Act protections to non-U.S. 
citizens.
    Process, what we think about when we talk about Privacy 
Impact Assessments and System of Records Notices.
    Incidents and breaches--just as it sounds.
    Education, really undervalued but terribly important, 
because whenever humans are involved, people make mistakes. And 
you cannot get rid of mistakes, but you can minimize them, and 
the way to do that is education, education, education.
    And then the last is outreach--part of what we are doing 
today and what we regularly do in and around the D.C. area, and 
sometimes even internationally.
    So having said that, as I was preparing today, I was 
reminded of something that I had heard a couple of weeks ago. 
As you may know, I am going to be graduating this week from the 
Naval War College with a master's in national security and 
strategic studies. The University of Connecticut had not 
started their master's program in homeland security 4\1/2\ 
years ago, or I would have probably entered that program. And 2 
weeks ago, I was at the University of Virginia Law School for 
their National Security Law Institute. And, in fact, we were at 
the Pentagon, and we were listening to Judge Jamie Baker, who 
is the former legal adviser to the National Security Council 
and now is an associate judge on the Court of Appeals for the 
Armed Forces, and he was talking about his office and the 
importance of the legal adviser to the National Security 
Council. And he noted in his remarks that the law and structure 
are important, but they are not conclusive. Senior officials 
have to call on you, and they have to have trust and confidence 
in you as an adviser in order for you to be able to do your job 
effectively.
    And with that, I will stop, and thank you very much.
    Chairman Lieberman. Very interesting. Thank you. The record 
will note that had you had the opportunity, you would have 
become a UConn Huskie. [Laughter.]
    Ari Schwartz is next, familiar with this Committee, but you 
have already received a good introduction from Mr. Teufel: Vice 
President and Chief Operating Officer at the Center for 
Democracy and Technology (CDT). Mr. Schwartz also serves as a 
member of the National Institute of Standards and Technology 
Information Security and Privacy Advisory Board and the State 
of Ohio Chief Privacy Officer Advisory Committee.
    At this time I will ask you to talk about the fact that you 
lead the Anti-Spyware Coalition. We welcome you today and look 
forward to your testimony, Mr. Schwartz.

    STATEMENT OF ARI SCHWARTZ,\1\ VICE PRESIDENT AND CHIEF 
     OPERATING OFFICER, CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Schwartz. Thank you very much, Mr. Chairman, Ranking 
Member Collins, and Senator Akaka, for holding this hearing 
today.
    Thirty-four years ago, the U.S. Congress took the 
revolutionary step toward ensuring that U.S. citizens' 
information in the hands of the Federal Government would be 
treated fairly and with respect. The Privacy Act of 1974 sets 
forth privacy protections that have been an example for 
governments at different levels around the world. While the Act 
reached for the goal of privacy, it was by no means perfect. 
And, in fact, Congress recognized its imperfections even at the 
time of passage, creating a study commission to report back on 
how, among other things, the Privacy Act could be improved.
    The GAO studies released today suggest that the major 
concerns of the Personal Privacy Study Commission of 1977 have 
not only never been addressed fully, but have even worsened 
with time. While the structure of the Act is still solid, 
technological advances have outdated many of the key 
definitions. The Privacy Act guidance from OMB has served to 
confuse as much as it clarified, and the Department of Justice 
has not released its Privacy Act Overview for agencies for 4 
years. This important document had been issued at least every 2 
years since the mid-1980s.
    While the Privacy Act implementation has been allowed to 
decay, Congress has created other protections to help ensure 
greater transparency over collections of personal information. 
The E-Government Act recognized that making more information 
available online was certain to raise new privacy concerns, and 
in order to address this problem, Congress took the step of 
requiring a Privacy Impact Assessment for all new and changed 
collections and new databases. The Privacy Impact Assessments 
were designed to provide greater transparency to how the 
government collects and uses personal information.
    Over the past 6 years, Privacy Impact Assessments have 
become an essential tool to help protect privacy. 
Unfortunately, as with other privacy laws, the Federal 
Government has unevenly implemented even the most basic 
transparency requirements of the PIAs across agencies. Like 
other directives issued by the Administration on privacy, the 
guidance was vague and has simply not provided agencies with 
the tools they need to successfully implement the Privacy 
Impact Assessment requirement unless they already had privacy 
experts on staff.
    Too few agencies have the kind of privacy expertise and 
leadership necessary to develop internal rules and best 
practices or even to comply with existing law. The Department 
of Homeland Security is one agency that has had that kind of 
leadership through its inception through Nuala Kelly, who 
started the privacy program, and now through Hugo Teufel, who 
has already shown us why he is a leader that can bring together 
this kind of program at the agency.
    While privacy experts often focus on these major problems 
as if the only thing harmed is the privacy of Americans, it is 
important to note that they have an even greater impact on the 
effectiveness of the Federal Government. For example, one 
agency that CDT spoke to told us that the privacy audit 
revealed that they had lost track of half of their System of 
Records and, therefore, millions of the personal records held 
by the agency. At the time of the audit, they just did not know 
where this information was.
    As one retiring security official from the Department of 
Interior explained publicly earlier this month while discussing 
that agency's constant failures in privacy and security 
reporting, he said, ``We are promiscuous with our data. We 
don't know where our data is.''
    You can call this a privacy concern, you can call this a 
security concern, or you can call this a data management 
concern. But to the American taxpayer, the loss of their 
personal information is certainly called a failure.
    To solve these problems, CDT suggests that Congress work 
with the Executive Branch on the five following areas:
    One, expanding Privacy Act coverage. CDT agrees with the 
GAO's basic assertion that the Privacy Act key definition of 
System of Records is out of date. We believe that this issue 
must be addressed in legislation and urge the Committee to 
introduce such legislation in this Congress. We suggest a new 
definition that would ensure coverage of all information that 
reasonably can be expected to identify an individual.
    Two, closing Privacy Act loopholes. CDT also urges the 
Committee to consider legislation that would limit the 
``routine use'' exemptions. As GAO found, there are simply no 
current standards across the government for this exemption, and 
agencies have filled the void with an array of confusing and 
overbroad loopholes.
    In addition, we urge the closing of another common 
loophole. Congress should make it clear that the Act's core 
principles apply to commercial data used by government.
    Three, improving Privacy Impact Assessments. As we 
testified before this Committee last year, CDT supports the 
creation of best practices for Privacy Impact Assessments as 
called for in the E-Government Act Reauthorization Act, 
recently passed by this Committee. CDT urges the Committee to 
require PIAs for any program that uses commercial data, whether 
the personal information will be stored in the agency or kept 
outside of the agency. CDT also supports requiring PIAs for 
systems of government employee information.
    Four, improving privacy leadership. When Peter Swire was 
chief privacy counselor, privacy had a higher profile within 
the Federal Government than at any other time. While Professor 
Swire is a unique leader in this space, CDT believes that a 
similar permanent Chief Privacy Officer within OMB written into 
law would help ensure that agencies understand the importance 
of this issue to Congress, to the next Administration, and to 
the Americans that you represent.
    CDT also urges the creation of an independent Chief Privacy 
Officer (CPO) Council with a similar structure to the Chief 
Information Officers (CIO) Council and to the Chief Financial 
Officers (CFO) Council as well.
    And five, increasing and improving privacy reporting and 
audits. OMB requirements for privacy reporting are a major leap 
forward in focusing attention on privacy issues, but getting 
the right implementation and accountability processes in place 
is an essential goal. Most importantly, OMB should be required 
to create standardized measurements for privacy-protecting 
processes. CDT also believes that the Committee should require 
that the systems of greatest privacy risk undergo regular 
audits by Inspectors General and/or, when the IGs are 
overwhelmed or not experts in privacy, by third-party audit 
firms.
    In conclusion, I would like to urge this Committee to act 
this year. In the past, CDT has called for the creation of a 
new 1-year commission to study the Privacy Act and privacy 
policy in the government and offer solutions. But with the 
release of these GAO reports and numerous hearings on this and 
related issues in this Congress, we believe that the basic work 
that would have been done by such a commission has already been 
completed. There is now consensus around a set of 
recommendations for action by Congress and the Executive Branch 
to fill gaps and loopholes in privacy law and policy. CDT urges 
this Committee to draft a bill with the recommendations 
outlined above and quickly bring it to the Senate floor so that 
the next President can have the right tools in place upon 
taking office and can get started immediately on strengthening 
privacy in the Federal Government.
    We look forward to working with you, and we thank you for 
your leadership on this important issue.
    Chairman Lieberman. Thanks very much, Mr. Schwartz. Thanks 
for your specific proposals, too, which are very helpful to the 
Committee.
    The final witness this morning is Peter Swire, the C. 
William O'Neill Professor of Law at the Moritz College of Law 
of the Ohio State University. I want to express relief that I 
have been able to announce that when Senator Carper is not here 
because as a very zealous Ohio State graduate, he probably 
would have created a disruption of some kind. [Laughter.]
    Mr. Swire. There was some discussion of whether to make 
it----
    Chairman Lieberman. Yes, the Big O, right. Also, Professor 
Swire is a Senior Fellow at the Center for American Progress 
specializing in privacy issues. From 1999 to early 2001, during 
the Clinton Administration, he served as the Chief Counselor 
for Privacy in the U.S. Office of Management and Budget.
    Thanks very much for being here, and we welcome your 
testimony now.

STATEMENT OF PETER P. SWIRE,\1\ C. WILLIAM O'NEILL PROFESSOR OF 
     LAW, MORITZ COLLEGE OF LAW, THE OHIO STATE UNIVERSITY

    Mr. Swire. Thank you, Chairman Lieberman, Ranking Member 
Collins, and Senator Akaka, for your attention to these issues 
today. And thanks to your Committee and the E-Government Act of 
2002 for really making Privacy Impact Assessments a major tool 
across the Federal Government. This Committee has been vital in 
protecting and addressing these issues. And it is a pleasure, 
as we have heard across the panel today, being on this panel, 
that GAO has been really a major source of expertise in 
government-wide attention to privacy for a number of years.
    At Homeland Security, Hugo Teufel and his predecessor have 
really built what has become the leading office in any Federal 
agency on privacy issues, and Federal Computer Week, for 
instance, earlier this year recognized Becky Richards of the 
office for her outstanding achievements for compliance in 
privacy. And so it is good to see that kind of recognition from 
the outside world.
    And Ari Schwartz has been obviously a leader on these 
issues for quite a few years now, and we appreciate that.
    In my statement today, I am going to talk about two issues 
and then briefly mention a third. I am going to try to give 
some of my experiences at OMB and some lessons for what that 
means going forward. The main technical substantive issue today 
is on biometrics. I am going to talk about an emerging issue, 
fingerprints and things like that, where I think the Committee 
really should consider action.
    And then in my written testimony, we talk about a third 
issue that I could get to in questions, but I am not going to 
address it in detail. The Center for American Progress released 
a report earlier this month called ``The ID Divide: Addressing 
the Challenges of Identification and Authentication in American 
Society.'' We put together a working group over a period of a 
year to address a wide range of issues--homeland security, 
immigration, voting, privacy, and security. And so we have a 
series of recommendations about how a process to look at 
identification systems would be a good thing to bring into the 
Federal Government as they address this generally going 
forward.
    So turning to OMB and my 2 busy years there, I have five 
points to sort of bring up from that experience. And the 
overarching theme is that in an information-sharing world, we 
have tried to break down the data silos. We have tried to make 
sure that information gets shared across agencies. But, 
unfortunately, we have put the silos back in when it comes to 
privacy protection. So we have an agency over here and an 
agency over there with separate Privacy Officers, but no 
overarching structure for handling privacy across agencies. And 
I think that has really been a lack for the last number of 
years.
    So to get to my list of five things, during the time that I 
was at OMB as a political appointee, a policy official, the 
first thing we did was coordinate across agencies. For 
instance, Ari Schwartz of CDT released a study just a couple of 
months into my time showing we had forgotten to put privacy 
policies up on Federal agencies. And that was deeply 
embarrassing, but it was also deeply helpful because within 4 
months we got all the major Federal agencies to have privacy 
policies up. We saw a problem and could fix it.
    During that time, at the CIO Council we created a Privacy 
Committee, which was active during that time, which made 
Privacy Impact Assessments a best practice at that time. And so 
the E-Government Act was able to build on some things that 
happened in the agencies when the time came. So the first point 
is to coordinate across agencies.
    The second point is to act as a source of expertise. We 
answered Privacy Act questions from around the government. When 
the Health Insurance Portability and Accountability Act 
(HIPAA), the medical privacy rule, was happening, I served as 
White House coordinator for that, and the interagency issues 
were informed by somebody who does privacy across agencies. 
Similarly, when the Gramm-Leach-Bliley Act was being put into 
effect, there were many different agencies involved, and we 
served as a background source of expertise on privacy issues.
    A third point, which people in Congress and the government 
would appreciate, is our role in clearance. You know that in 
the Federal Government, the moment they decide to testify, it 
all goes through OMB. And I was in OMB, and when there was a 
privacy issue, it got routed to my office, and we were able to 
comment with a consistent, informed view on how to handle 
privacy issues.
    The way it works in Homeland Security is Mr. Teufel would 
get to see things as they are happening at DHS. But when it 
goes to OMB, that is somebody else's job at that point. It is 
the next step in the process. So having somebody at the central 
White House level really makes that job work better.
    A fourth point is that I was available for special 
projects. In 2000, the Chief of Staff, John Podesta, asked me 
to chair a White House task force on a tricky set of issues. 
How do you update our wiretap laws for the Internet age? We had 
telephone wiretap laws. How does it work for the Internet? And 
I chaired a 14-agency task force with all the intelligence 
agencies, but it meant there was some privacy expertise in the 
room to work together with the agencies who most were focused 
on gathering information. And we came up with recommendations 
that year.
    And then the fifth point about this OMB position was I 
could serve as a single point of contact. People knew who to 
yell at. The press knew who to call. The public could come to 
us. For the privacy groups, industry groups, and government 
agencies, there was one place to go for a forum and a way to 
talk about these issues going forward.
    So I think those five points suggest some real usefulness 
to having a policy official in the White House structure that 
focuses on privacy going forward.
    There is one lesson, I think, that I learned from that 
time--that it helps to have it be a statutory position. The 
position of the Administration when I was there was, because I 
was not statutory, I was not appropriate to testify in front of 
Congress. So I had to brief other people every time we had a 
privacy-related hearing. And I think that having a statutory 
position would help make sure that Congress would be well 
informed on these issues going forward.
    I am now going to shift to talking for the remainder of my 
time on biometric issues, which I think is a major emerging 
issue. It is vaguely covered by the Privacy Act but has not 
gotten the attention. We have new videos up today at the Center 
for American Progress Web site on this. But I highlight this in 
part because President Bush signed Homeland Security 
Presidential Directive 24 (HSPD-24), his guidance on 
biometrics, on June 9, 2008, using words like ``expanding'' and 
``maximizing'' the use of biometrics. The guidance mentions 
privacy, but does not provide any implementation of what that 
is going to mean going forward. And here is the sort of 
background for concern.
    Computer scientist Terry Boult has raised an issue called 
the ``biometric dilemma.'' The more you use biometrics, the 
less secure they become. And the reason is the more you use 
secrets, the less secret they become. And so, in particular, 
when you think about fingerprints--Secretary Chertoff said not 
too long ago in a press availability that it is very difficult 
to fake a fingerprint. But that is not true. You can do a 
highly advanced research task. Go to Google or your favorite 
search engine and put in ``fake fingerprint.'' And on the first 
page, you will see multiple articles about how to do that for 
under $10. Unfortunate, but true. Go do it. You can do it on 
your BlackBerry probably while we are having the hearing.
    And how effective are these fake fingerprints? Well, Bruce 
Schneier, a famous security expert, tested one of the 
techniques, and he reported, ``against 11 commercially 
available fingerprint biometric systems, it was able reliably 
to fool all of them.''
    And so we have a situation where fingerprints become the 
new data breach problem. If we have great big Federal databases 
full of fingerprints, those are data breaches waiting to 
happen. If you lose your Social Security number or your credit 
card number, you can, you hope, get a new one. You lose your 
fingerprint, it is very hard to get a new finger. And so we 
have this systematic security problem, data breach problem 
going forward if we have these huge government databases 
maximizing and expanding, as the recent directive said.
    There are things to do about this, but they have not been 
done yet. And so in my testimony, I suggest a couple of actions 
this Committee could consider immediately to start to do the 
work on biometrics that I think would be helpful.
    The first idea--and this is part of data breach laws 
generally--is to encourage encrypting transmission of things 
like this, biometrics, and encourage encryption when you store 
them. And so I suggest the E-Government Act of 2002 can be 
amended to provide a default for storing and transmitting 
biometrics in encrypted form. An exception to this ``always 
encrypt'' policy should be permitted only if it is justified in 
a Privacy Impact Assessment, only if it is really a good idea, 
and if it has received specific authorization from the Chief 
Privacy Officer for the agency. So I would like Mr. Teufel to 
have to sign off on it if we are going to have unencrypted uses 
of biometrics around the agency. And it may have to be 
considered whether in the private sector this should apply as 
well because if the private sector compromises these 
biometrics, then the government cannot use them either.
    A second point going forward is that access to biometric 
databases should be very well audited. We saw with the passport 
records of the Senators how audit can be helpful in sending a 
message and training people that they should not be messing 
around in people's files. Biometrics going forward can be 
compromised, and we should audit the possibility.
    And then in the written testimony, I also talk about some 
promising new biometric technologies that are more privacy 
protective. One is called biometric encryption. And I suggest 
reports are appropriate. You could ask Homeland Security and 
the Justice Department Privacy Office to do reports on these 
technologies so that they have to say what works, what does 
not, whether pilot programs are appropriate to fix this.
    In conclusion, when it comes to biometrics, I will go back 
to an analogy I used when the Homeland Security Department was 
being created 6 years ago and I testified in Congress. Too 
often, we see this as if it is a truck where we only have an 
accelerator for some of these uses, but no brakes. And the 
concern with new technologies, if we simply expand biometrics 
without the brakes, is that we could compromise our 
fingerprints and our biometrics for a generation and we cannot 
get them back, so we should build them right in the first 
place. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks, Mr. Swire. Very interesting and 
obviously informed and helpful testimony. We will do 6-minute 
rounds of questions and keep going until we are finished with 
our questions.
    Ms. Koontz, let me begin with you. The GAO report 
highlights a longstanding concern, which is that agencies are 
sharing and using personal data for purposes beyond the 
original stated purpose. I wanted to ask you to give us a few 
examples that you found in your work of that and indicate to us 
how widespread you think the practice is.
    Ms. Koontz. I think that what we were covering in our 
report is that there are only really very modest limitations in 
the law on sharing. Within an agency, the information may be 
shared as long as it is necessary for an employee to do their 
job. Outside of an agency, it can be shared pursuant to a 
routine use, but I think that all the panelists have commented 
that routine uses over time have become very numerous, very 
broad, and do not serve as a very useful way to limit the 
sharing of information.
    Chairman Lieberman. And, again, this is sharing between 
agencies of the Federal Government.
    Ms. Koontz. Yes. I think we also make the point, though, 
that as we move toward an information-sharing environment, in 
the wake of September 11, 2001, we realize we need to share 
information better than we have in the past. In some cases, 
information also needs to be shared with State and local 
governments, and it needs sometimes to be shared with the 
private sector.
    One of the concerns that we raise in our report is that the 
Privacy Act does not ensure in all cases that the privacy 
protections travel with the data; that is, there are not onward 
transfer provisions that make sure that the protections travel 
with the data when they go outside the hands of the original 
collector and maintainer of the information. So I think that is 
a definite concern going forward that we need stronger 
protections because we foresee that there is going to be more 
sharing. We need stronger protections to ensure that the 
information is protected consistently as it travels.
    Chairman Lieberman. You are quite right that a real focus 
for us on information sharing, again, started in this Committee 
with the legislation based on the 9/11 Commission Report, which 
found that, to use the familiar metaphor, there was no place 
where the dots were located together so that they could be 
connected to try to prevent September 11, 2001, from happening. 
So there is no question that what we are trying to do is really 
encourage--and, insofar as possible, mandate--the sharing of 
information for national security or homeland security 
purposes.
    But is that the major area in which you are concerned? My 
own concern was that other agencies, unrelated to security 
work, are collecting information on American citizens and, 
beyond the stated purpose, sharing that information with other 
agencies for matters unrelated to security.
    Ms. Koontz. I am not sure that I can give you any examples 
where people actually exceeded the purposes for which it was 
originally collected. I think our concern is that it can be 
shared pursuant to all kinds of routine uses, and they are so 
numerous and broad that there are not really meaningful bounds 
on the sharing of information.
    Chairman Lieberman. OK. What are possible solutions to this 
problem?
    Ms. Koontz. In terms of sharing?
    Chairman Lieberman. Yes, sharing among agencies that goes 
beyond the original purpose for which the information was 
collected.
    Ms. Koontz. Right. It is a very important part of privacy 
that the information be only used in the way that is consistent 
with the purpose for which it was collected. So when the 
government told the person when they collected the information 
in the first place that this was the purpose, we need to handle 
that consistently over time.
    There are a couple things. First of all, in the System of 
Records Notices, in the public notices under the Privacy Act, 
there is not a requirement to state an overall purpose. 
Agencies are supposed to state purposes for each of the routine 
uses, but not an overall purpose. We think that requiring 
agencies to state the overall purpose of the collection is 
important. It is also important that they be very specific 
about that purpose so that it serves as a useful constraint.
    We also think that there should be mechanisms so that when 
information is shared outside an agency, that there are 
agreements with outside entities that will constrain the use of 
that information and provide protections to it.
    Chairman Lieberman. That makes sense. Mr. Teufel, just to 
state again the obvious, in the case of a lot of information 
that the Department of Homeland Security and, obviously, the 
National Counterterrorism Center have, the original purpose, if 
you will, that Congress has mandated is that you share the 
information for the collective good. Why don't you talk a 
little bit about how you react to this question about the 
original purpose being exceeded?
    Mr. Teufel. Sure. Well, first of all, I do not think I have 
an answer. Second, what I am going to tell you may run over my 
time, so with the Committee's indulgence, I will do the best I 
can to answer the question.
    Chairman Lieberman. Go ahead.
    Mr. Teufel. We think a lot about routine uses. You may be 
aware, and Ms. Koontz, in a report that she did on my office 
last year, mentions that we have 208 legacy agency System of 
Records Notices. So these are System of Records Notices that 
could be from Department of Energy, Department of 
Transportation, or Department of Justice, and every agency 
approaches System of Records Notices differently.
    Chairman Lieberman. Just for the record give us a brief 
definition of what that means, what a System of Records Notice 
is.
    Mr. Teufel. A System of Records Notice is a document that 
is required to be published under the Privacy Act of 1974 when 
an agency has a System of Records. A System of Records is a 
collection of information about U.S. citizens or legal 
permanent residents that is accessible by some unique 
identifier. So there are a lot of databases out there, and this 
is one of the things that others will talk about, that you can 
have a database that has personally identifiable information in 
it, but it will not be, under the definition in the Privacy 
Act, considered a System of Records. And, accordingly, there is 
not a System of Records Notice published in the Federal 
Register. We put them up on our Web site.
    So we have 208 legacy agency System of Records Notices 
(SORNs), and we are determined by the end of the year to update 
as many of those as possible. So the first thing that we did 
was we revised our guidance that is up on our Web site on how 
to conduct and prepare a System of Records Notice, and we 
looked at routine uses. And often there are routine uses that 
agencies will have, and they will just publish lists of routine 
uses that apply to every System of Records Notice at the 
agency. We do not do that. We do have a template where we list 
standard routine uses that one might see. Some may be for State 
and local information sharing. It might be for health purposes, 
law enforcement purposes, those sorts of things. But we do not 
have blanket routine uses that we have published. We look at 
each and every System of Records Notice when we decide which 
routine uses go into that particular document.
    So we have these 208 System of Records Notices out there, 
and over the last few months, my office and a contractor have 
gone through all of those to look at the different approaches 
and to see where we can harmonize and reduce. And this is 
something that Ms. Koontz had recommended in a report last 
year. There is a requirement under the Privacy Act, and I think 
it is OMB Circular A-130, that we, every 2 years, go through 
and look at System of Records Notices to make sure that we 
actually need the information and what are we doing with it.
    So we have made tremendous progress, and we have draft 
System of Records Notices for all 208. Many we will consolidate 
and go under government-wide, Executive Branch-wide System of 
Records Notices. Others will be DHS-wide, and for the 
remaining, they will be component-specific SORNs. So that is 
part of the answer.
    The other part of the answer is information sharing, and it 
is something that my office really has been grappling with, and 
in the remaining time in my office, it is one of two fairly 
major priorities, the other being cyber security. How do we do 
this? How do we do information sharing as Congress has mandated 
we do, but we do it in a way that is privacy sensitive? And I 
do not have an answer for you. We are working on this issue and 
working very closely with our colleagues at the Department of 
Justice and the Office of the Director of National 
Intelligence, as well as the program manager for the 
information-sharing environment.
    Chairman Lieberman. That is a good answer. Thank you. 
Senator Collins.
    Senator Collins. Thank you.
    Professor Swire, I want to follow up on some of your 
comments on biometrics. Biometrics have really been sold to 
Congress, and I think to the public and by the Department of 
Homeland Security, as the answer. I, therefore, was very 
interested in your comments about the ability to fake 
fingerprints, for example, because I believe as your testimony 
said and as I recall, Secretary Chertoff has been quoted as 
saying, that it is very difficult to fake a fingerprint. And I 
think you are telling us today that it is not.
    The U.S. Visa Waiver Program is based on having biometrics 
included in the exit program so that we can track who is here 
and who is leaving our country. So I am particularly interested 
in your analysis of the rush to embrace biometrics and whether 
they really will result in a better, more secure system, and 
also your red flags about the need for encryption.
    Do you know whether or not the Transportation Security 
Administration (TSA), for example, which is using biometrics 
for the new Clear system at airports to speed on the way 
travelers who have given the Department biometric information, 
do you know if that system is using encrypted data when it is 
being used at the test airports around the country?
    Mr. Swire. Thank you, Senator. I have not reviewed the 
Clear system in particular, so I do not have an answer on that.
    I think that when it comes to biometrics, there are vendors 
who are trying to sell systems, and they want to have people 
believe it is a good answer. And I also think that there is 
enormous pressure to sort of do something, to come up with 
secure ways to do things. And if our current things do not work 
very well, we want to move to the next generation, and 
biometrics has seemed tempting.
    The fact that fingerprints are easy to fake, the basic way 
you do it and the simplest method is if I have a picture of 
your finger, I just--nowadays, pictures come in my cell phone, 
for instance. I just blow it up, put it on my computer, and 
photo-shop it a little bit, and then I am able to print it out 
on a laser printer--this is pretty standard--and I can then get 
Gummy Bears or similar gel from the CVS and put it over my 
finger. And that is basically what it takes.
    You could have fancy machines, which is not what we mostly 
have, that could make sure the pulse is pulsing and things like 
that. But the basic idea that I just put your fingerprint on 
top of my finger is very easy to do.
    So that is known, and biometrics researchers, the sort of 
academic ones who are not trying to sell their products, have 
long lists of articles explaining these vulnerabilities. And 
that is why I think reports from the agencies, maybe including 
the Privacy Office, to really look at these might be one very 
specific step so that the eagerness to do things can be 
tempered by making sure we get the technical part right.
    Senator Collins. Well, it is particularly interesting to 
hear you say that, because several years ago, when I was the 
Chairman of the Permanent Subcommittee on Investigations, we 
did an investigation on how easy it was to counterfeit 
identification using readily available software on the 
Internet. And, indeed, my staff counterfeited, I think, a dozen 
different IDs for me, licenses in five different States, a 
college ID--probably that one would not have been----
    Mr. Swire. You should be careful doing those. There are 
some laws about that.
    Senator Collins. Exactly. [Laughter.]
    Well, I can tell you that the law is a lot stronger after 
we did that investigation. But there were real loopholes in the 
law as far as making that illegal if it is done through the 
Internet. So we are constantly trying to catch up with our laws 
and our policies to the technology that is out there. And your 
comments on biometrics are an excellent caution to us because 
it has been sold as the way to have secure IDs. And now I am 
hearing from you that just as my staff was able to easily 
locate the technology on the Internet to counterfeit 
identifications, now you are telling me that we could do that 
with fingerprints as well.
    So it seems to me there are two issues here. One is: Is 
this technology really increasing security? The second is: How 
do we protect individual fingerprints from being counterfeited 
and used by those who would do us harm.
    Mr. Swire. If we do it badly, our fingerprints will get out 
there. They will be breached, and they will be out there. And 
we cannot get them back, right? So that means for our 
generation that fingerprint will be an insecure identifier. And 
that is a reason to be a step or two more cautious because if 
you screw it up, you have done it for a generation of people.
    Senator Collins. Well, that is why I want to follow up with 
TSA on the Clear system and what the protections are, and I am 
going to turn to Mr. Teufel to see if he knows the answer to 
that.
    When the fingerprint and other information that is given to 
airports that are being used, is it encrypted? Is it retained 
at the airport and, thus, subject to misuse?
    Mr. Teufel. Sadly, the BlackBerry is a wonderful thing, but 
it does not always give me an answer as fast as I might need 
it.
    I do not know the answer, but I can tell you that on our 
Web site, dhs.gov/privacy, we have privacy documentation 
posted, and I believe the answer may be in there. And I will be 
talking with TSA's Privacy Officer, Peter Pietra, on this when 
I get back. So I am just hesitant to give an answer without 
being informed.
    Senator Collins. If you would get back to us on that issue, 
that would be helpful.\1\
---------------------------------------------------------------------------
    \1\ Response from Peter Pietra to Senator Collins appears in Mr. 
Teufel's response on page 36.
---------------------------------------------------------------------------
    Just quickly, because my time is expiring, Mr. Teufel, what 
do you think of the idea that Mr. Schwartz and Mr. Swire have 
raised about having a Privacy Officer at OMB designated in law 
so that it does not depend on the interests of a particular 
Administration to help provide government-wide guidance on 
privacy issues? Would that be helpful to you? Or would it be 
just another layer of bureaucracy?
    Mr. Teufel. Well, I do not think it would be another layer 
of bureaucracy, and certainly as a Privacy Officer, I like 
Privacy Officers.
    Senator Collins. Some of your best friends. [Laughter.]
    Mr. Teufel. Some of my best friends are Privacy Officers. 
But my one concern would be I am just a Privacy Officer for 
DHS, and I am hesitant to speak beyond my role at DHS. And also 
I am mindful of the head of OMB's ability to manage his or her 
office.
    Senator Collins. But just your personal opinion--I realize 
you are not speaking for the Department or the Administration. 
But you are on the front lines day in and day out in the 
Department, that, other than the VA and the Department of 
Health and Human Services (HHS), has the most information about 
Americans, and the Internal Revenue Service (IRS), I suppose.
    Mr. Teufel. Yes, ma'am. I work very closely with Karen 
Evans at OMB, and I think very highly of her. She co-chairs the 
Privacy Committee within the CIO Council, and she has 
designated me to be the Chair of the Cyber Security 
Subcommittee of the Privacy Committee. I think it is a good 
approach, and I like working with her. I think she has provided 
some excellent leadership in the role as the person I interact 
with on a regular basis at OMB for privacy issues.
    Senator Collins. Thank you.
    Chairman Lieberman. Thanks, Senator Collins. I just want to 
point out that Ms. Evans is the E-Government person at OMB.
    Mr. Teufel. Yes, sir.
    Chairman Lieberman. So she is not, as you know, a full-time 
government-wide privacy person.
    I just want to make sure I understand what you said, Mr. 
Swire, because it is important to the Committee. What you are 
saying is obviously you have to get somebody else's fingerprint 
to be able to compromise the biometric system.
    Mr. Swire. Yes.
    Chairman Lieberman. So your concern is about the security, 
quite consistent with what we are focused on today, of 
fingerprints that the government has in its possession.
    Mr. Swire. And, in particular, if there are databases that 
the government holds where they just have lots and lots of 
fingerprints in there, if you have a breach of those databases, 
then all those people's fingerprints become compromised.
    Chairman Lieberman. Right, with very significant 
consequences.
    Mr. Swire. Even if it is encrypted at Clear or out at the 
edges, if the database is lying around subject to breach, that 
is a risk.
    Chairman Lieberman. Right. That is a good point. Senator 
Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    GAO's report lays out some solid suggestions about ways to 
strengthen our privacy laws. However, one of the major issues 
not discussed in the report is the list of exemptions to the 
Privacy Act for law enforcement and intelligence activities. I 
believe that this issue merits some discussion since the major 
privacy arguments over the past few years have been with the 
treatment of personal information in the national security and 
homeland security context.
    Can each of you discuss these exemptions and whether you 
have recommendations for changing these sections of the Privacy 
Act?
    Ms. Koontz. I will start us off. The exemptions are 
definitely an issue. They did not come up specifically in the 
work that we did, but we think that, going forward, any 
reconsideration of the provisions of the Privacy Act will have 
to include debate about the law enforcement exemptions and the 
general and specific exemptions in the Privacy Act.
    Mr. Swire. This is related, in my mind, to the information-
sharing environment set of issues because that is where it 
comes up a lot of the time. I wrote an article called ``Privacy 
and Information Sharing in the War Against Terrorism.'' It came 
out about 2 years ago. And it was an attempt to--this was after 
I had worked on the Markle Task Force, which did a lot of 
information-sharing work.
    I think it is somewhat difficult to address it within the 
Privacy Act itself, but what the article called for was an 
expanded process, a sort of due diligence process or an 
expanded Privacy Impact Assessment process, at the time that 
you create new information-sharing programs. I think when you 
are building each one of those programs, an expanded list of 
questions about how to look at it, what should be shared, what 
should not, how do you minimize, and the rest, that might be 
the best way day in and day out to try to address that.
    Mr. Schwartz. I will say, Senator, it is a good question. I 
am hesitant to touch the more general exemptions, especially 
the law enforcement exemption. I think that exemption actually 
is, compared to other law enforcement exemptions, pretty 
tailored for the Privacy Act and fits into the Privacy Act 
pretty well. The problem that we have had is more of these 
routine use exemptions where we see lists of 30 or 40 
exemptions that the agency is just making up at that particular 
time. So if you have a set of 40 exemptions for a particular 
program that, as Ms. Koontz said, does not have a main purpose 
listed in the first place so you cannot compare the main 
purpose to these exemptions and try and figure out how they 
should be used, it is basically giving a complete loophole for 
sharing of the information for many purposes, and maybe for any 
purpose, if these exemptions are written widely enough. And I 
have even spoken with agencies, and with the Postal Service, 
for example, where there was a System of Records Notice that 
they put out a number of years ago, where I questioned the 
existence of some of the routine uses. And they said, ``Well, 
those are just our blanket routine uses; we always put them in 
there. We agree with you they do not make sense for this 
particular program, but those are the ones we always use.''
    So then they went back and they changed their blanket 
exemptions because of our concerns based on that. But most 
agencies have not done that. As I mentioned in my testimony, 
the Department of Defense has 16 routine uses that they use for 
every collection of information. Obviously, not every 
collection is used in exactly the same way 16 times. It makes 
sense to look at how that particular program is being used and 
say this is how we plan on sharing it. If we want to do 
something different, we have to put out another System of 
Records Notice. We have to make a commitment to the American 
people that we are going to let them know what this system does 
and how we are going to use that; and if we change that, we 
have to let them know how we are changing it.
    Mr. Teufel. So what I would reiterate is that we do not at 
the Department of Homeland Security have blanket routine uses. 
For every System of Records Notice, we think about each and 
every routine use individually. Do we need this routine use in 
this particular System of Records Notice? So we are very 
thoughtful or we seek to be very thoughtful in terms of what we 
include in a System of Records Notice.
    With respect to law enforcement and intelligence 
exemptions, I can think of a number of occasions when I have 
had a number of senior staff in my office, and we have gotten 
out our Department of Justice Privacy Act guide and gone 
through and looked at the case law and discussed what the 
meaning is of the particular exemptions and how they apply and 
whether they apply in a given System of Records Notice. And so 
I can tell you with respect to my agency--I cannot speak to 
others--that we seek to be very thoughtful in the use of those 
exemptions and to make sure that they are appropriate for a 
particular system.
    Senator Akaka. Thank you. I have been concerned about the 
impact of data mining on the protection of personal information 
in the Federal Government for a number of years. This includes 
the use of commercial data for data mining. Could each of you 
discuss how the Privacy Act could be amended to cover data 
mining and the use of commercial data? Ms. Koontz.
    Ms. Koontz. I think one thing that could be done is to 
expand the protections of the Privacy Act to all personally 
identifiable information regardless of whether it is retrieved 
by a personal identifier or maintained in some other kind of 
way. We actually have done a number of studies about data 
mining and seen how much it has increased in recent years, as 
well as other analytical initiatives. And it is true that the 
Privacy Act does not currently always cover data-mining kinds 
of initiatives, but this is one way that it could.
    As far as information resellers, one of the reasons that it 
is not always covered by the Privacy Act is that the Act says 
that the government has to maintain the information. So it 
means if someone merely pings a database or looks at a database 
but does not retrieve the information and maintain it, the 
protections of the Privacy Act will not apply in that case.
    Some language along the lines of ``systematic use,'' 
focusing on use rather than maintenance of the information, 
might be an appropriate way to treat that reseller information.
    Mr. Schwartz. First, I would like to strongly agree with 
everything that Ms. Koontz just said, and those are two 
excellent points. The first one that she made on the 
information and identifiability of information I think is a key 
one. The way that the Privacy Act was written, the question was 
whether information is actually being retrieved by name, by 
Social Security number, by a specific identifier. In data 
mining, you are not doing that. You could have a database that 
has 200 times more personal information than what is 
considered a System of Records today, where you are searching 
on someone's actual Social Security number, and use this new 
database for data mining where you are searching not on the 
person's name, not on the person's Social Security number, but 
for attributes about them. Then that pulls out names and 
information, and that would not be considered a Privacy Act 
System of Records today or covered under the Privacy Act.
    It gets very confusing, but the basic problem is that we 
set up this system, this law, with the idea of what a database 
in the 1970s looked like, where you would search for a 
particular identifier or a particular person's name. We do not 
do that today, and data mining is one key example where you do 
not do that at all today, and the privacy sensitivity may 
actually even be greater than in the kind of database that the 
Privacy Act was written for, although clearly the goals of the 
Privacy Act cover this. And I think some of the agencies have 
taken that idea and said, we have to write Privacy Impact 
Assessments for this kind of data; we should take a step 
further and make sure that this is protected. But it is not 
clear that is being done across the government, and we need to 
make sure that is protected.
    Mr. Swire. Can I just respond? This is the single place 
where technology has changed the most since the 1970s. I think 
this is echoing what we just heard. In the 1970s, you had 
things in files retrieved by name. Today we have things called 
``Search,'' and we can go through huge databases. And so 
changing that is the core of how technology has been changed. 
There are some ideas in the GAO report about ways to possibly 
do it, but it is worth recognizing this is the one place where 
the technology has really shifted and the law has not caught 
up.
    Senator Akaka. Mr. Teufel.
    Mr. Teufel. A couple of very quick things here. First, I 
note that my office is holding a workshop on data mining. I do 
not know if we have the Federal Register notice out yet, but I 
think we have scheduled it for July 24 and July 25, and we will 
be looking at coming up with best practices.
    Second, the Homeland Security Act talks about data mining 
and, if I am not mistaken, talks about the Department looking 
at data mining and doing data mining.
    The third thing is what is the definition of ``data 
mining,'' and my office has issued a series of reports over the 
years--I think in 2006, 2007, and 2008--and every year we have 
a different definition to look at. So without getting into what 
those definitions are, it is important to note that when we 
talk about it, we need to have some common frame of reference.
    And then, finally, with respect to information resellers, 
our Data Privacy and Integrity Advisory Committee has issued 
some reports on that. One of the things that has come out of 
those reports has been that in our PIA guidance, we have made 
some changes so that we ask the question, and then we publish 
in our Privacy Impact Assessments whether information is being 
used that comes from information resellers.
    Senator Akaka. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator Akaka. We will go now 
to a second round of 6 minutes for Members who have questions.
    One of the Fair Information Practices underlying the 
Privacy Act is so-called ``data integrity,'' the importance of 
ensuring that personal information the government collects is 
accurate. When this is not the case, it obviously increases the 
risk that individuals will be subject to unfair treatment, in 
this case not only based on violation of privacy but on the 
inaccuracy of the personal data.
    I know that people who spend a lot of time in this field 
have said that inaccurate and incomplete information, so-called 
``dirty data,'' is a large problem in some government programs. 
And, Ms. Koontz, I wanted to ask you first about that. Is it a 
large problem? And is the government investing in technologies 
to monitor and improve data quality? For instance, one of the 
places we have heard it is on the so-called no-fly list, that 
there is a lot of names there that may not be quite right.
    Ms. Koontz. Obviously, data integrity, a big issue across 
government and in the privacy area. The principle really talks 
about the fact that the data has to be accurate enough for the 
purpose for which it is used. So, again, it has to be tied to 
that purpose. Accuracy for one purpose may not be enough for 
another purpose. The no-fly list may need a higher level of 
accuracy than other ones.
    We did not do a compliance audit across government in order 
to determine to what extent agencies were complying with these 
various principles. I will say that when we did our report on 
Privacy Act compliance a number of years ago at your request, 
we did point out that while there was sort of mixed compliance 
across the Federal Government, one area was data integrity that 
needed improvement across 25 agencies that we looked at at that 
point.
    Chairman Lieberman. Mr. Teufel, what is your experience 
with this in the Department of Homeland Security? Do we have a 
dirty data problem, inaccurate information being collected?
    Mr. Teufel. Well, I think government always can work on 
improving the accuracy, relevance, timeliness, and completeness 
of data that it has. So I do not think I can answer any way 
other than we can always do a better job, and part of our 
effort in looking at all of these legacy SORNs and revising 
them is considering this very issue.
    I also note that, as we discussed earlier with respect to 
law enforcement and intelligence exemptions, there is an 
exemption with respect to accuracy, relevance, timeliness, and 
completeness when it comes to law enforcement and intelligence 
information. And so while I am a Privacy Officer and not an 
intel guy or not a law enforcement guy, I have to at least on 
behalf of the agency mention this, that in those contexts you 
cannot have necessarily accurate, timely, complete information 
because you have sources and methods, some of whom or which you 
cannot attest to the veracity of. You get information that 
comes in, and you will have to assess it and determine its 
credibility, but it may not be accurate, timely, or complete.
    Chairman Lieberman. OK. Mr. Schwartz, and Mr. Swire, let me 
get you both into this question of so-called dirty data. Is it 
a significant problem, inaccurate information, personal 
information being held by government agencies? And if it is, 
are there any mechanisms that we should be putting into place 
to try to clean up the data?
    Mr. Swire. Yes, in our ID Divide report, we have about four 
pages on dirty data problems, and the place that really hits 
home is on matching programs. So, for instance, under the Help 
America Vote Act, there is matching where you delete voter 
rolls if you think there is not the right person signed up. 
Under E-Verify for new hires, you can say somebody is not 
eligible to work. And there have been very high levels of error 
reported and we have detailed footnotes because of this dirty 
data problem.
    What you see is numbers like 3 percent, 5 percent, or 10 
percent of all records have inaccuracies in them, depending on 
which thing you look at. And if you then say you are not 
eligible to vote, you are not eligible to get a job, you are 
not eligible to get a driver's license at that 3- or 5-percent 
level, that is a lot of people's lives that are getting hit.
    And so dirty data directly affects people's lives if they 
get turned down at the Department of Motor Vehicles (DMV) and 
have to try to figure out how to get a driver's license. And so 
that is where you really see it, and those are big numbers, 
millions of people.
    Chairman Lieberman. Those are big numbers. So how do we 
deal with that? I mean, just at the beginning somebody input 
the data inaccurately or did not have accurate information?
    Mr. Swire. It is a long list of things that happen. You 
type it in wrong, or somebody read the reader wrong. But also 
you have nicknames--there are lists of ways. I think that you 
need to have redress procedures. You need to have second ways 
for people----
    Chairman Lieberman. Give me a little more definition of 
what a redress procedure is.
    Mr. Swire. OK. Let's say I go to the DMV and they say you 
cannot get a driver's license because your match is not right 
with Social Security or something. There has to be some way for 
me as a normal person, not having to hire a lawyer, to be able 
to say, look, there is a mistake here, work with me on this. I 
am an American citizen. I am supposed to be able to get a 
driver's license. Social Security says I do not have a match.
    And how those day-in, day-out procedures work when you get 
the bureaucratic ``no'' is something I think we have not spent 
enough time talking about. If we are going to be matching 
databases and we know there are going to be errors, we have to 
have ordinary ways for ordinary people to get it fixed.
    Chairman Lieberman. I agree. Mr. Schwartz.
    Mr. Schwartz. I agree that it is not going to be perfect, 
and I think Mr. Teufel's points are well taken. However, I do 
think that it is a widely acknowledged problem in the Federal 
Government. I think pretty much any agency you speak to 
directly, speak to their Chief Information Officers, and they 
will say, yes, that this is a problem not just with my agency 
but with every agency across government. And it is something 
that we need to address.
    The important piece here is, to get to the point that 
Professor Swire was speaking about, that we do not think of 
privacy as the barrier to getting to better data. There are a 
lot of times where people talk about privacy as a bureaucracy 
that is in place on top of putting these kinds of systems in 
place. In this case, I think that privacy actually is helping 
greater efficiency by making sure that you have the correct 
data. By including people in the redress process and by coming 
up with a redress process that works efficiently and 
effectively, that is not adding bureaucracy to the system. That 
is making sure that the information you have is correct and 
works efficiently. So if we can get that kind of process in 
place where we are correcting data, where we involve the data 
subject, where possible, into that process, I think we are 
going to end up with more efficiency down the road, although it 
is going to take longer to clean up the data in the short term.
    Chairman Lieberman. Mr. Teufel, do you want to add 
something quickly?
    Mr. Teufel. Please, if I may. Redress is an important 
issue, the ability to find out what information government has 
and then correct that information. And I note that at the 
Department of Homeland Security there is DHS TRIP, Traveler 
Redress Inquiry Program, which is a one-stop shop for people 
affected by things that happen at DHS to write in and seek 
redress. And it applies not just to U.S. citizens and legal 
permanent residents, which is one of the restrictions of the 
Privacy Act, but also applies to non-U.S. citizens.
    Chairman Lieberman. This is all done on the Internet?
    Mr. Teufel. Yes, it is.
    Chairman Lieberman. And do you have any sense of how it is 
going?
    Mr. Teufel. It has been a while since I have looked at the 
figures, but from what I recall, it is very good.
    Chairman Lieberman. Good. Thank you. Senator Collins.
    Senator Collins. Thank you.
    We have talked a lot this morning about potential changes 
in the Privacy Act, the E-Government Act, and other laws. But 
the Fair Information Practices, the principles in that, which 
were developed in 1972, have proven very resilient because they 
are not technology dependent. They are principles like 
openness, transparency, and accountability.
    I would like to ask all of you whether we should be 
considering, in addition to changes in the Privacy Act, any 
changes in the Fair Information Practices. And I will start 
with Ms. Koontz.
    Ms. Koontz. I think you said it already. The Fair 
Information Practices have stood the test of time. The Privacy 
Act is based on the Fair Information Practices. The laws in 
many countries are based on Fair Information Practices, and 
over time, we have used them frequently in our work as a 
framework to look through to look at privacy protections. So I 
would not suggest anything specific.
    Senator Collins. Mr. Teufel.
    Mr. Teufel. As Privacy Officers, we live and die by the 
Fair Information Practices. So it is not making changes to 
them. I think it is adhering rigorously to them.
    Senator Collins. Mr. Schwartz.
    Mr. Schwartz. I agree with that, but I think it is 
important to note that the Fair Information Practices have 
evolved over time. In the 1972 set, we had four listed, and now 
I think when you talk to most people, it is between eight and 
ten, depending on if you merged two together here or there. So 
they have changed over time. Ideas like data minimization, 
which was not in the original set, but is embedded in the 
Privacy Act, is now a term that we use pretty regularly today 
where you are getting rid of data. You are not collecting data 
you do not need, and you are getting rid of it when you do not 
need it anymore. That is one example where we have had a shift 
over time.
    But I think the basic Fair Information Practices still 
exist today, and they were written into the Privacy Act, and I 
think that is the structure of the Privacy Act that we need to 
keep and make sure that we do not tinker with the Act so much 
that we lose that structure.
    Senator Collins. Professor Swire.
    Mr. Swire. I agree with what was said, but there is one of 
them that is under huge pressure--the idea of no secondary use, 
that you just use the data for the reason you started with it, 
and then you do not use it for 100 other purposes. That is 
where the pressure is.
    So within each agency, including the huge Homeland Security 
Department, it can go around for other purposes, not just the 
original purpose, and then these routine uses means it can go 
out of the agency to other agencies, and it can sort of be in a 
free zone.
    And so I think that is the hardest thing, is which uses are 
OK and which ones are not. And it has been hard to figure out 
how to build that into law.
    Senator Collins. Thank you.
    Mr. Teufel, Mr. Schwartz noted in his testimony that there 
are times when the Privacy Impact Assessment is actually 
completed after the project has been developed and approved 
rather than being anticipated beforehand. Is this a problem at 
DHS?
    Mr. Teufel. To the extent it is, it is less and less of a 
problem, and the reason for that is because of a couple of 
things. One is the increase in component Privacy Officers. Last 
year, I made a recommendation to Secretary Chertoff and he 
agreed that we ought to have more component Privacy Officers, 
and so in some of the operational components and department-
level components that did not have Privacy Officers, there are 
now Privacy Officers. Immigration and Customs Enforcement (ICE) 
and Citizenship and Immigration Services (CIS) come to mind. 
TSA had a component Privacy Officer; still does. U.S. Visitor 
and Immigrant Status Indicator Technology (US-VISIT) has one as 
well.
    So having folks on the ground out in the components makes a 
difference because they can work these issues and are much 
closer to the people at the programmatic level who are doing 
things.
    The other thing is that we have been able to--and I hate to 
use the word--operationalize--just because I am not sure that 
is a real word. But we have operationalized privacy throughout 
the Department, so we have really infused ourselves into the 
bureaucratic process. And I do not use that in a pejorative 
way, but government is bureaucracy, and if you can get into the 
bureaucracy, you can make it work for you from a privacy 
perspective. And so we are doing better and better.
    Now, there are always programs that pop up, and we hear 
about them. One popped up earlier this week, and I was after 
hours on the phone with senior officials from a component and 
the General Counsel's Office--Where are we? What is going on? 
And we will be able to get our work done before this program 
goes live. But sometimes we have to be very quick on our feet 
that we make sure that we do a thorough job but a timely job, 
even though the component or the program folks have not told us 
early enough on what they are up to.
    Senator Collins. Thank you.
    Chairman Lieberman. Thanks, Senator Collins.
    Senator Akaka, next. And then we will conclude with Senator 
Carper.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Teufel, today GAO is releasing a report I requested 
that reviews the responsibilities of senior agency Privacy 
Officers across the government. According to the report, some 
agencies like DHS have placed all of the responsibility under 
one official while others have shared responsibility.
    As the DHS Chief Privacy Officer, what do you believe are 
the benefits of having one individual responsible for privacy 
at an agency?
    Mr. Teufel. Well, I think the benefits that Mr. Swire 
mentioned earlier, that single point of contact, the person who 
is responsible for privacy so that if there is a question or a 
problem, the public, Congress, and people within the agency 
know to whom to go for an answer, to get the situation 
resolved, I think it is important, but I recognize that every 
agency is different, and so some agencies may have less 
involvement with personally identifiable information. For 
others like DHS, a big part of the Department's success is 
reliant on personally identifiable information. So you have to 
have someone who is senior enough and who has access to the 
right people to go in and say, hey, I think there is an issue 
here, we need to talk about it.
    And as I mentioned earlier in my opening remarks, at a lot 
of agencies it makes sense to have someone who is more of a 
technician than a policy person because the privacy issues may 
not be that great at other agencies, and DHS is among them. You 
have to have somebody who is involved with policy and somebody 
who can go into the front office and component leadership 
offices and talk about the issues and work out solutions.
    Senator Akaka. You mentioned having a person at a senior 
level. Where do you think this office should be set? At what 
level of an agency?
    Mr. Teufel. I think it could be any number of places, and I 
think, whether it is an SES-level position or an executive 
schedule-level position, whether it is a direct report to the 
Secretary or perhaps somebody senior within the management or 
the Administration bureau or directorate, as I mentioned 
before, listening to Judge Baker, the important thing is that 
you have that access and that people will listen to you, that 
they have trust and confidence in you and that they will seek 
out your advice and counsel.
    Having said that, there is value to reporting directly to 
the Secretary and Deputy Secretary.
    Senator Akaka. Yes. The reason I asked that is several 
years back, we wanted to bring about changes in accounting in 
Defense, and we set up an office for that. Two years later, the 
person that we were able to put there came to me and said, ``I 
am resigning.'' And I asked, ``Why?'' He said, ``Because I 
cannot make the changes that need to be made.'' He said, ``It 
should be on a higher level.'' This tells me that a privacy 
officer needs to be at a higher level to make a difference.
    Mr. Teufel. I agree with you, Senator, and certainly when I 
have talked to some of my colleagues at other departments, 
senior career employees who are at the GS-15 level, I am not 
sure that at every one of those departments they are able to 
effectuate the policy changes that need to be made at those 
agencies.
    Senator Akaka. Thank you.
    Ms. Koontz, I believe that it is extremely important for 
the public to be aware of how the Federal agencies are using 
their personal information. The GAO report suggests a layered 
notice with a summary of the most important facts up front, 
followed by a more detailed description. However, Privacy 
Impact Assessments, if done correctly, can provide more 
meaningful notice.
    Could you elaborate how under your proposal Privacy Act 
notices could be more easily understood by the public and how 
they would interact with PIAs?
    Ms. Koontz. Generally speaking, the problem with the public 
notices right now is that they are difficult to understand, 
they are treated as a legal compliance factor, and it may be 
hard for the public to identify which ones are in force. 
Publishing them in the Federal Register may not be the best way 
to communicate with the public. I mean, it serves a purpose, 
but I think in addition to publishing in the Federal Register, 
we think that publishing them on the Internet and some kind of 
centralized Web site, privacy.gov or something of the like, 
would be a good step to help the public be able to identify 
them. And then, second, I think the idea of layered notices 
really lends itself to a Web-type of presentation because you 
can provide an overall statement and then you can provide 
details if people want to go deeper into the statement and 
understand more about how the government is using information.
    I agree that the Privacy Impact Assessments can be a useful 
way of communicating with the public. If the agency has done a 
good job talking about why they are collecting the information 
and talking about the trade-offs, that can be an additional way 
of communicating this to the public. My feeling is that privacy 
is a lot about transparency, and having both means of 
communications would still make sense.
    Senator Akaka. Mr. Chairman, may I ask----
    Chairman Lieberman. Please, go right ahead.
    Senator Akaka. Mr. Swire, you mentioned in your testimony a 
report you recently co-authored on identification in America. I 
believe this report is timely considering the fact that DHS is 
working to implement the REAL ID Act. As you may know, Senator 
Sununu and I introduced S. 717 to repeal provisions of the REAL 
ID Act and replace it with a negotiated rulemaking process that 
incorporates States' views and provides privacy safeguards. And 
you also know that some States have rejected the REAL ID Act 
for these same reasons.
    What are your views on S. 717, and the REAL ID Act, in 
general?
    Mr. Swire. Thank you, Senator. I support S. 717. I think it 
is useful, just for a few sentences, to explain why. REAL ID, 
as a process, never was debated in the Senate, never came 
through the Committee process, etc. And I think as a statute, 
there were things that would have been fixed, more stakeholders 
could have been involved and all the rest, if it had a more 
thorough process.
    Going to the negotiated rulemaking means that the different 
expert people, including the States, would be more deeply 
involved, and I think that would create a framework for a 
better long-term outcome.
    Senator Akaka. Thank you. Mr. Chairman, if I may, a short 
one.
    Chairman Lieberman. Sure.
    Senator Akaka. Mr. Schwartz, I understand that you are also 
a member of the Information Security and Privacy Advisory 
Board, which is working with the DHS Data Privacy and Integrity 
Advisory Committee to develop recommendations for revisions to 
the Privacy Act. And that is what we are trying to get at here.
    Can you tell me the status of this joint effort and whether 
other changes to the Privacy Act are being considered outside 
of those listed in your testimony?
    Mr. Schwartz. Thank you, Senator Akaka. I actually just 
joined the Board at the last meeting, which was the beginning 
of this month, but there was a status update on that, and there 
was a discussion. It is a joint group that is working with the 
DHS Advisory Committee as well, and my understanding is that it 
is in its final phases now, and they are expecting to publish 
something sometime this year if they can work out some of the 
details together.
    I think that many of the changes discussed are similar to 
the things in the GAO report from what I was told. I have not 
seen the latest draft, though, so I cannot fully comment on if 
there is anything broader than that. Because I just came to the 
Board, I am not on that Subcommittee at this point. So I will 
try to get a report back to you from the chairman of the 
committee sometime in the next couple of days.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator Akaka. Senator Carper, 
I do want to put you on notice that in introducing Professor 
Swire and mentioning his university affiliation----
    Senator Carper. What affiliation is that? [Laughter.]
    Senator Collins. You are just proving what the Chairman 
said would happen. [Laughter.]
    Chairman Lieberman. It is all yours.
    Senator Carper. Ohio State University.
    Chairman Lieberman. That is it.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. I apologize to our panelists, but I was 
just over on the Senate floor with another graduate of Ohio 
State, a law school graduate, Senator Voinovich. And I 
shepherded with the support of, among others, Senator Lieberman 
and Senator Collins legislation to help reduce the emission of 
particulates from diesel engines. There are about 11 million of 
them on the roads. Bad stuff. They create a lot of bad health 
for us. And we appreciate the support of our colleagues in 
getting the legislation done, and on to the President to sign 
into law.
    Professor Swire, he told me that you were here, and he 
said, ``In the French Quarter of Columbus, we pronounce his 
name `Swi-ray.''' And so I said, ``Well, you call him what you 
want. We will call him Swire at the hearing.'' [Laughter.]
    But we are glad that you are here, and thank you all for 
coming.
    I have a statement I would like to share and then maybe a 
question or two, if I could. When I come in late at a hearing 
like this and I have missed your testimony, what I am going to 
ask you to do is just share with me and with my colleagues the 
common ground that you see here, sort of the takeaways, 
evolving from the discussion and from the questioning that 
occurred. So just be thinking about that, if you will.
    Mr. Chairman, thanks very much for holding this hearing. 
And I want to say to Senator Akaka, thank you very much for 
your leadership in bringing us here as well. And sometimes it 
seems that almost every week another agency is compromised by 
suspected hackers or a laptop is lost or stolen by current or 
former employees. And all too often, these events put at risk 
millions of Americans' sensitive information, names, birth 
dates, Social Security numbers, and health information 
included.
    In fact, my staff tells me that there are criminal elements 
in this world that have massive inventories of bank numbers, 
Social Security numbers, and other personally identifiable 
information that are sold to the highest bidder. Some of these 
criminals have been caught--not enough--but largely these 
criminal groups remain immune to our laws here in the United 
States. And a lot of them operate outside of the United States, 
as you know.
    That is why agencies need to ensure that sensitive 
information is protected during its collection, during its 
transmission, and throughout its storage. Placed in the wrong 
hands, this information can leave an individual vulnerable to 
identity theft, which we suffered in our own family, or to 
worse.
    That is one of the reasons I chaired a hearing of the 
Subcommittee on Federal Financial Management, Government 
Information, Federal Services, and International Security on 
March 12, 2008. And we looked into the Federal Information 
Security Management Act. What I found there surprised me. Many 
times agencies do not even know what information they hold. 
They do not know where the information is stored. They do not 
know who has the access and whether that information has been 
compromised.
    Our Federal Government stores some of our Nation's most 
sensitive economic, corporate, and military secrets. It is 
imperative that agencies find a better way to protect not just 
an individual's identity but as much of that sensitive 
information as we possibly can.
    However, I feel the American public is slowly but surely 
losing faith in our government's ability to protect its 
sensitive information. That is why I have asked my staff to 
work hard with some of our colleagues on this Committee on 
reforming this critical information security law. And I look 
forward to working with our Chairman and with my other 
colleagues on this Committee on this legislation to protect our 
Nation's most sensitive information.
    With that having been said, and earlier having telegraphed 
my pitch, we will just ask maybe Professor Swire to lead off. 
Please summarize what you see as common ground and lessons for 
us to take away from this hearing. Thank you. Again, welcome.
    Mr. Swire. Oh, thank you very kindly. Go Buckeyes.
    I think in terms of common ground, one thing I heard is 
that the definition of ``Systems of Records,'' the definition 
in the Privacy Act of what is covered, leaves out a lot of data 
mining. That is a technological change from the 1970s. And how 
to create a legal structure around that, I do not think we have 
any answer to necessarily. There is going to be a workshop 
coming up on that. But the idea that we do not retrieve records 
one at a time now the way we did 35 years ago and we need to 
come up with a new set of ways to deal with that, I think that 
is a strong theme I heard today from pretty much everyone.
    Senator Carper. Thank you, sir. Mr. Schwartz.
    Mr. Schwartz. Well, I will pick one item out from, I think, 
a number of things that the four of us probably agreed on. But 
I think that there was a discussion about changes to encourage 
leadership in privacy across agencies, and there are a number 
of ways to do that, particularly through making sure that we 
have high-level appointees within the agencies and probably 
within OMB as well. But I think that certainly there was 
agreement that it has to be a high-level staff on privacy that 
can take accountability.
    Senator Carper. Thanks very much.
    Mr. Teufel. So my answer to you, sir, would be 
transparency. It is key to the privacy framework in the public 
sector in the United States, and Chairman Lieberman had 
mentioned the European approach. And there are many things the 
Europeans do well, but transparency is not something, I think, 
the Europeans do as well as we can and often do in the United 
States. The goal is for the public to have trust and confidence 
in what its government is doing.
    The other thing that one gets through transparency is that 
it allows the public to make informed decisions that they then 
can let you, the elected representatives of the country, know 
about those views. And so I would stop with that.
    Senator Collins, I did want to mention, thanks to the magic 
of the BlackBerry, Peter Pietra, the component Privacy Officer, 
tells me that Clear is one of the many providers under the 
Registered Traveler Program, and there is a PIA out on the 
Registered Traveler Program, and the data is encrypted.
    Senator Collins. Thank you.
    Senator Carper. We could not have done that 34 years ago, 
could we? [Laughter.]
    Pretty amazing. Thank you. Actually, information like that 
sort of makes my colleagues and I joyful, which rhymes with 
your name ``Teuful.'' [Laughter.]
    Mr. Teufel. Thank you, Senator. I have never heard that 
before. Thank you.
    Chairman Lieberman. That was the proper response to a 
Senator. Very well done. [Laughter.]
    Senator Carper. Ms. Koontz.
    Ms. Koontz. I think we agree that the System of Records 
concept in the Privacy Act is outmoded. It is not consistent 
with current uses of information or the technology that we are 
employing. We would like to see the protections of the Privacy 
Act expanded to all personally identifiable information, 
regardless of how it is held.
    I think another point is that we would like to see 
personally identifiable information, its use and collection, 
limited to a specified purpose.
    And, finally, I agree with the point on transparency. We 
need to promote transparency, and we need to improve the public 
notices in a number of ways that serve as a vehicle for us to 
inform the public about what the Federal Government is doing 
with personally identifiable information.
    Senator Carper. I thank you all. We thank you for being 
here. We thank you for your testimony. And thank you for 
allowing me to look for some common ground and some takeaways 
that should serve us well in the future.
    Mr. Chairman, much obliged.
    Chairman Lieberman. Thank you very much, Senator Carper. 
Actually, your question was a great one to conclude the hearing 
on, and it illuminates what struck me. Senator Collins and I 
were talking about it. As I listened to the testimony, you have 
all been very helpful, and what is also true and significant, 
and not always the case when we bring together a group of 
people from different perspectives on a common issue, is that 
there is quite a consensus among you about what needs to be 
done.
    So you have helped us enormously this morning, and I think 
now we want to consider what we can do and perhaps in a short 
time frame--which, unfortunately, is the case with this session 
of Congress--whether there is some common ground proposal that 
we can come forward with that will not stir up the kind of 
controversy that will block it from being passed or whether we 
want to wait until the next session and do something more 
comprehensive.
    But there is no question, in my mind, anyway, as I listen 
to the testimony or read the GAO reports, that the Privacy Act 
of 1974 is just not up to the realities of 2008 in the age of 
information.
    Senator Collins, did you want to add anything in 
conclusion?
    Senator Collins. Thank you. I just want to thank our 
witnesses. This was an excellent panel, and I very much 
appreciate your leadership, Mr. Chairman. Thank you.
    Chairman Lieberman. Thanks, Senator Collins.
    We will keep the record of the hearing open for 15 days in 
case any of you want to add to your testimony, any answers you 
may not have received already over your BlackBerrys and shared 
with the Committee, or in case Members of the Committee who 
have not been here, or even those who have, have additional 
questions for you.
    But, with that, I thank you very much. The hearing is 
adjourned.
    [Whereupon, at 11:57 a.m., the Committee was adjourned.]